From 6b0de67c9e1aafad9917d26204b6a4e3058815a3 Mon Sep 17 00:00:00 2001
From: Collin Brittle
Date: Mon, 5 May 2025 11:25:07 -0400
Subject: [PATCH] Removes s3:HeadObject

HeadObject is an API function which relies on the s3:GetObject permission. s3:HeadObject was granted in places that already also granted s3:GetObject. The ECS task policy also grants the s3:ListBucket permission twice, so the repeat is removed.
---
 projects/infra/modules/iam/main.tf | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/projects/infra/modules/iam/main.tf b/projects/infra/modules/iam/main.tf
index bd0a4df..ad36cce 100644
--- a/projects/infra/modules/iam/main.tf
+++ b/projects/infra/modules/iam/main.tf
@@ -47,7 +47,6 @@ resource "aws_iam_policy" "create_job_policy" {
 Effect = "Allow"
 Action = [
 "s3:GetObject",
- "s3:HeadObject",
 "s3:ListBucket",
 ]
 Resource = [
@@ -296,7 +295,6 @@ resource "aws_iam_policy" "get_presigned_url_policy" {
 Effect = "Allow"
 Action = [
 "s3:GetObject",
- "s3:HeadObject",
 "s3:ListBucket",
 ]
 Resource = [
@@ -439,7 +437,6 @@ resource "aws_iam_policy" "ecs_task_policy" {
 Effect = "Allow"
 Action = [
 "s3:GetObject",
- "s3:HeadObject",
 "s3:ListBucket",
 ]
 Resource = [
@@ -447,15 +444,6 @@ resource "aws_iam_policy" "ecs_task_policy" {
 "${var.uploads_bucket_arn}/*",
 ]
 },
- {
- Effect = "Allow"
- Action = [
- "s3:ListBucket"
- ]
- Resource = [
- var.uploads_bucket_arn
- ]
- },
 {
 Effect = "Allow"
 Action = [
@@ -583,7 +571,6 @@ resource "aws_vpc_endpoint_policy" "s3_policy" {
 Action = [
 "s3:GetObject",
 "s3:ListBucket",
- "s3:HeadObject",
 ]
 Resource = "*"
 }
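Review bot: Nothing in the create_job_policy statement records why `s3:HeadObject` is absent, so a later editor working from the S3 API list may put it back; a one-line comment above the Action list, `# HeadObject is authorized by s3:GetObject; there is no s3:HeadObject IAM action`, would prevent that. The same comment applies to the get_presigned_url_policy, ecs_task_policy and s3_policy hunks below. The enclosing resource blocks start and end outside the hunks.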
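Review bot: The deleted statement in ecs_task_policy was the only visible grant of `s3:ListBucket` on the bare `var.uploads_bucket_arn`; ListBucket is evaluated against the bucket ARN rather than the `${var.uploads_bucket_arn}/*` object pattern, so the retained statement above only keeps that permission if its Resource list also names the bucket itself. The line where that entry would sit (between the two ecs_task_policy hunks) is not visible here, so please confirm it is present before merging; otherwise the deduplication silently revokes listing for the ECS task. The enclosing ecs_task_policy resource starts and ends outside the hunk.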
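Review bot: After the removal the s3_policy endpoint statement still allows `s3:GetObject` and `s3:ListBucket` with `Resource = "*"`, i.e. against any bucket reachable through the endpoint, which is broader than the bucket-scoped grants in the IAM policies above. If the statement carries no narrowing Condition (not visible in the hunk), consider listing the project's bucket ARNs instead, e.g. `Resource = [var.uploads_bucket_arn, "${var.uploads_bucket_arn}/*"]`, so the endpoint only serves the buckets the workload owns. The enclosing aws_vpc_endpoint_policy resource starts and ends outside the hunk.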